Zero-day Java flaw exploited in targeted tax email malware attack

Filed Under: Featured, Java, Malware, SophosLabs, Spam, Vulnerability

VAT at 20%. Image from ShutterstockExperts at SophosLabs have discovered that cybercriminals have taken advantage of the critical zero-day flaw vulnerability in Java, sending out malicious emails which pretend to come from an accountancy firm announcing a rise in the tax rate.

Unsuspecting internet users who click on links contained inside the email - perhaps concerned that there has been a rise in the VAT rate - risk instantly infecting their computers.

SophosLabs discovered the email in one of its global network of spamtraps. The email purported to be from the Dutch branch of the accountancy firm BDO Stoy Hayward:

Malicious email. Click for fuller version

From: BDO Accountants & Adviseurs <helmond@bdo.nl>

Of course, the email doesn't really come from the accountancy firm. A closer look discovers that it has been sent from a hosting provider in the Netherlands:

Received: from tandarts by cpanel1.redbee.nl with local (Exim 4.77)
(envelope-from <tandarts@cpanel1.redbee.nl>)

The subject line (which is in Dutch) reads as follows:

Subject: Let op! BTW tariefverhoging per 1 oktober 2012

Google translates the subject as:

Attention! VAT rate increase per 1 October 2012

The email's message body can be translated as follows:

Dear Sir or Madam,

As you may have already understood, the high rate of turnover tax by October 1, 2012 increased from 19% to 21%.

The moment of conduct performance (either date of sale / supply of goods or services) determines the amount of the VAT rate.
The invoice date on the sales receipt is not (!) Important for the handle VAT rate (or for the period of turnover tax).

Look what the VAT increase for you can mean. You will also find useful tips to correct the increased VAT to implement in your organization.

For entrepreneurs, the VAT increase sales or no additional cost. For individuals, prices will rise.
Keep an eye on the changes, an error using the correct VAT rate may result in additional tax.

For further details and answers to other questions, please visit the dedicated webpage, prepared by the Ministry of Finance.

Normally, we would expect the link to go straight to a phishing site but here under the folder 'tariff' (in Dutch it's 'tarieven') is an obfuscated script that attempts to load an applet detected by Sophos products as Exp/20124681-A - malicious code which exploits the current Java zero-day vulnerability.

Although this particular attack uses Dutch language to try to trick users into following the link there is, of course, no reason why cybercriminals wouldn't also try similar tactics in other more commonly-used languages too. So, no-one should be complacent about the threat posed by this Java vulnerability.

We recommend disabling Java or downgrading to Java 6 on any systems with humans actively interacting with internet-enabled applications.

Chet Wisniewski's recent article about the Java zero day vulnerability gives details about how to disable Java:

Sophos Anti-Virus on all platforms detects and blocks the various components of this malware as follows:

* Exp/20124681-A: the malicious Java code exploiting CVE 2012-4681.

Rise in VAT roadsign image from Shutterstock.

, , , , , ,

You might like

39 Responses to Zero-day Java flaw exploited in targeted tax email malware attack

  1. Matthias · 594 days ago

    Downgrading to Java6, not really your suggestion or? Getting rid of a 0-day exploit and get instead 20 other exploitable bugs.

    I would suggest to disable java or use extensions like noscript for firefox or enable user acceptance in chrime browser for each java applet.

    • Dave · 594 days ago

      Java 6 is still supported by Oracle, and is updated on the same patch cycle as Java 7. (any bugs present in both are patched at the same time)

  2. Deception · 594 days ago

    How Do You Disable Java In RockMelt?

  3. DLW · 594 days ago

    My relative got an email from a friend's account this week. The friend passed away of cancer in early July!! The email was really upsetting especially as it was selling Islamic literature. They traced it back to Iran. All very curious and upsetting!!

  4. Charlie Cummings · 575 days ago

    How do you disable it?

  5. Willard C Smith III · 575 days ago

    I have on my PC but my girl plays on POGO and needs Java.

  6. Angie Kenny · 575 days ago

    You can't disable Java,its part of all software in some way

  7. Mervyn Milliken · 575 days ago

    Disabled mine & my browser seems to be running faster.

  8. Mike Muhieddine · 575 days ago

    Java "CAN" be disabled but not something done by a normal user.

  9. David Richards · 575 days ago

    @Charlie. Have a read of the article posted two hours ago, which explains 'How to turn off Java'.

  10. Eva Robinson Newby · 575 days ago

    I disabled mine....and everything is still working just fine. If I should come across something that says that I need Java.... I can simply go to the tool bar at the top and turn it on!

  11. Walt Courtenay · 575 days ago

    Easy to do, though.

  12. Robert Mcdonald · 575 days ago

    click where it says zero-day etc,on that page is link on how to disable

  13. Dolly Pardon · 575 days ago

    If you use Firefox, you can get No Script add-in that let's you decide when to allow Java to run.

  14. Rick Stricker · 575 days ago

    In the case of this email, the smart recipient won't click the link. There are countless ways an infected email can cause problems, so disabling Java isn't enough. The best defense is a savvy user.

    Java is in wide use all over the web. Disabling it altogether is like taking the wheels off your car to prevent accidents.

    Oracle needs to take immediate action to close the security flaws. Until that happens, the suggestion to make Java only run on demand is a good one.

  15. Charlie Cummings · 575 days ago

    @David No I haven't. Where's the link to it?

  16. Kevin Woolley · 575 days ago

    Disabled mine in two seconds and I'm a normal user so laughs @ mike

  17. Ann Cardon · 575 days ago

    I took it off my computer until oracle comes up with a patch.

  18. El Lörn · 575 days ago

    Is there a way to disable it for firefox and ie in a corporate environment? Like a batch script or something? For firefox maybe just renaming the plugins directory under program files/java/jre7/plugins2 ?

  19. Amei Luffman · 575 days ago

    read one article (didn't read this one again so it may or may not have been in this one) saying it targeted Java 7, not 6. Since several things I do need Java, I uninstalled 7 and replaced it with 6. What do you think, good enough or being stupid?

  20. David Book · 575 days ago

    My chrome broswer has java ver 10

  21. Martha Rogers Henigan · 575 days ago

    Instructions for windows explorer are for 7, I have 9. I was able to disable it very easily. My pc does seem a little faster also.

  22. Marion Patterson · 575 days ago

    Thanks for the help.

  23. Vicki Turner · 575 days ago

    I just did mine! I had a friend request from someone claiming to go to my highschool. I saw that a few of my classmates had already friended him. I waited because his name didn't sound right (David Simth) - this was the spelling. Later that day, my friends reported that their screens were locking up and when they questioned him he disappeared! Be careful to check our anyone that friends you that you don't know.

  24. Jesper Poulsen · 575 days ago

    Angie Kenny - That's not true. Java can be disabled. It can even be removed.

  25. Sandro サンドロ Della Giustina · 575 days ago

    An Java update is available: http://www.java.com/it/download/manual.jsp Someone knows if the vulnerability is fixed? I am unable to find the release notes for this version

  26. Anna Harris · 575 days ago

    I removed java7 and reinstalled java6, works like a charm. Java6 doesn't have that particular flaw.

  27. Cecilia de Kock · 575 days ago

    Can it affect my blackberry?? it is java enabled?

  28. Kevin J. O'Conner · 575 days ago

    How about not opening obvious spam in the first place? Or, if you receive a notice purporting to be from a site on which you have an account, going directly to the site rather than clicking on the link in the message? Seems to me that a lot of these vulnerabilities could be avoided if folk would just exercise some sense in these instances.

  29. Beth Anderson · 575 days ago

    I disabled my Java this morning. Computer's working fine.

  30. Simon Ch · 575 days ago

    I'd recommend getting a NoScript plugin. That way nothing runs, let alone Java unless you say so.

  31. Kierie Childs · 575 days ago

    I need Java and specifically Java for my online college classes so I can't disable it unless I want to fail.

  32. Alan Harrison · 575 days ago

    Kierie, why not run two browsers, one for your college work with Java enabled, and one for everything else with Java disabled.

  33. Alan Harrison · 575 days ago

    @Anna Harris: NOOOOO! Taking Java back down to an earlier version will make you less safe, not more, as there are holes in earlier versions you have just "unpatched". Click the link in the article and follow the instructions!

  34. Doris Bixby · 575 days ago

    Warning

  35. Helen Smith · 575 days ago

    @Alan Harrison: re your comment to Anna Harris - I'm confused. One of the Sophos articles I just read said "We recommend disabling Java or downgrading to Java 6 on any systems with humans actively interacting with internet-enabled applications" So I guess what Anna said is correct?

  36. Jesus Manuel Castillo · 575 days ago
  37. Jo Rayner · 575 days ago

    hi i am getting emails that see to be mimicking my friends names on facebook .. on hovering over the addresses I can see they are not .. however the 1st time it happened I got caught out and it sent me to a viral link has anyone else had this happen and what can be done about it

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul O Baccas (aka pob) joined Sophos in 1997 after studying Engineering Science at Oxford University. After nearly 16 years, he has left Sophos to pastures new and will be writing as an independent malware researcher. Paul has: published several papers, presented at several Virus Bulletins and was a technical editor for "AVIEN Malware Defense Guide". He has contributed to Virus Bulletin and is a frequent contributor to the NakedSecurity blog.